Email Backup vs Archiving Graphic

Email backup, email archiving: what’s the difference, and why shouldn’t businesses just rely on one or the other? We explain.

 

Email is alive and well – and growing!

The daily business email volume worldwide will increase from 112.5 billion in 2015 to 128.8 billion in 2019, according to this downloadable report from The Radicati Group.

So there’s an enormous challenge involved in ensuring copies of emails are retained in a manner that both enables them to be quickly accessed in order to support ‘business as usual’ activities, but delivers more extensive and detailed transparency for the purposes of regulatory compliance.

This is the essential difference between email backup and email archiving. Email backup is largely about business continuity, whereas email archiving is largely about protecting a business’s ‘licence to operate’.

Email archiving: a matter of legal record

Email archiving and email backup are two very different beasts – and here’s why.

Email archiving focuses on retaining emails and associated data to ensure legal and regulatory compliance.

Archiving solutions can therefore hold many years’ worth of data demanded by compliance requirements, even for heavily regulated industries like healthcare, banking and finance, pharma, and so on. Email backup does not retain data this long.

Also, email archiving can hold a 100% faithful copy of the email that has been received or sent, because it retains even deleted mails, which backup does not.

Lastly, email backup typically has very granular tools to satisfy compliance requirements around considerations like access control, audit trails, content integrity, and so on – not something you’d typically find in a backup solution.

As an example, take a look at the features in the Libraesva Email Archiver. You’ll see a whole host of refinements that email backup doesn’t offer, including, amongst others:

  • 80 separate permissions to create finely differentiated user roles and restrict access to sensitive information (important for GDPR compliance!)
  • Trusted time-stamping of each email, to securely keep track of creation and modification times
  • Legal hold, to freeze email and data pending litigation or investigation
  • Anti-tampering, to prevent retrospective adulteration of email content and data

Email backup: copy, restore, recover

The objective of email backup, on the other hand, is to easily recover and restore email that is essential to business activity, when that email has either been deleted or made inaccessible in some other way (e.g. by file corruption, deactivation of a leaver’s account, or even a ransomware attack.)

It can be tempting for businesses to convince themselves they don’t really need this service. After all, with cloud services like Office 365, G-Suite and others, isn’t email already backed up - and in some of the most robust data centres in the world?

Actually, no. Once the recycle bin is manually or automatically purged (and that can be after as little as 30 days) the data is gone…forever.

It follows, then, that cloud services still need backup sitting behind them somewhere, and the most readily accessible place to put it is elsewhere in the cloud (cloud-to-cloud backup).

So, for example, a solution like Cloud Ally will back up all the emails (and other data) contained in cloud services like Office 365 Exchange, Sharepoint Online, OneDrive, SalesForce, G-Suite, Box and others) to a cloud-based AWS S3 data centre that is ISO 27001-certified - and indeed to other user-owned storage too.

This process is automated, enabling a business to easily recover backed-up email long after the cloud service providers would have junked it.

So why do businesses need both email backup and email archiving?

Clearly, email backup and email archiving share some DNA.

But neither is a substitute for the other. In fact both, used incorrectly, are risky, and can put the brakes on businesses’ productivity.

Email archiving boasts powerful storage, search and retrieval powers, but for most everyday users - whose emphasis is simply on being able to find and restore email content and attachments, rather than delivering them as legal records in an approved regulatory format – it’s unnecessarily sophisticated to learn and use.

By the same token, the snapshots generated by email backup solutions, whilst typically simple for users to navigate and restore, do not offer the same historical completeness as email archiving – and any attempt to make them do so in answer to a regulatory investigation or similar would entail many hours’ work manually stitching the snapshots together.

Two sides of the same coin? Perhaps. But businesses need both in the bag, or they could end up paying a hefty price - operationally, reputationally, and in the law courts!

Heimdal Security logoHow would your customers feel if they had a Norse warrior stopping malware from reaching their endpoints? Meet Denmark’s Heimdal Security.

In days of old, the sight of Vikings on the horizon was enough to turn decent peasants’ blood to ice.

But the marauding Danes are now playing poacher-turned-gamekeeper – at least in IT security terms.

Because instead of being the threat, they’re now stopping the threats before they make landfall. (Or, at least, before they reach your customers’ endpoints!)

This is what our newest vendor partner Heimdal Security sees as its killer battle cry when compared to traditional endpoint security. And here’s why malware needs to be very afraid of it.

From last-ditch to proactive: endpoint protection transformed

“Form square and stick out your spears” – that’s basically the traditional approach to endpoint protection. Once the problem has hit the machine, the security software rings the panic bell, musters the garrison, and mounts a defence.

We Brits tried that against the (real) Vikings. It didn’t work.

But if we could have spotted their boats as they cast off – or, even better, seen activity on the quayside that indicated an attack being prepared – we could have taken proactive action against them before they reached Blighty.

This is exactly what Heimdal does. Instead of looking at application code and signatures in files that have already entered the endpoint, to work out if there’s a threat, it looks at the undercurrents in the ‘sea’ of network and internet traffic entering and leaving your customers’ businesses, to detect danger before it surfaces.

Rather cleverly, though, this isn’t just about identifying when users are being taken to places they shouldn’t be sailing towards – e.g. malicious websites – and blocking the connection to them before it’s made (although this is certainly important, as we explore below).

It’s also about using advanced machine-learning, heuristics and network forensics to detect apparently harmless network file ‘plankton’ that is in fact fodder for a coming malware attack.

Traditional security protects an endpoint with a last-ditch defence. Heimdal protects it by turning the entire network into a shield wall.

Which one are you betting your krone on?

Multi Layered Security Graphic
Conventional endpoint security is typically missing the traffic-based anti-malware protection that Heimdal delivers.

“Probably the best malware protection in the world…”

The famous Danish beer ad is tongue in cheek. But there’s a serious point to be made here about the strains of malware that Heimdal can protect against that many other security solutions simply can’t.

Take ransomware, for example. Traditional endpoint security looks for malicious code within files, but a ransomware-triggering hyperlink, or instruction to connect to a website, is neither a file nor, in itself, an inherently malicious piece of code. So, the endpoint security software doesn’t spot it.

But Heimdal is looking at the network, not the endpoint. It detects and blocks the malicious connections (to malvertising, legitimate but compromised web banners, malicious iFrames and redirects, botnets etc.) that signal an intention to activate or propagate attack strains like APTs, ransomware, Trojans, polymorphic malware and others.

In short, Heimdal gets stuck into the melee long before the blunt old endpoint battle-axe can!

Automatic software updates: that’s 85% of web app attacks defeated!

Exploit kits and other threats that exploit programs’ existing security weaknesses are a huge worry for traditional endpoint security vendors, because these weaknesses often exist at a lower level than that at which the security solutions operate.

Consequently, exploits can slip underneath the endpoint radar (the bad guys must feel like they’ve died and gone to Valhalla!)

They’re a huge worry for your customers, too, given that some 85% of web app attacks (like the kind that typically trigger ransomware and steal personal financial data) take hold of endpoints through an existing unpatched security hole of this kind.

But here, Heimdal have put a real edge on their sword. They have coupled their network traffic analysis with an automatic software update tool, to ensure that your customers’ internet-facing and non-internet-facing apps  – from Acrobat to Audacity, Flash to Firefox, Java to Jitsi, and many others besides – are constantly and automatically updated with the latest security fixes and patches, thus denying exploit kits an entry point.

The most security-critical applications are often those that are not concerned with security at all – how’s that for a typically innovative Scandinavian way of looking at a problem?

Why Heimdal
“Proactive” is a word you’ll hear a lot from Heimdal – and the automatic patching capability that embodies it is a good third of the company’s overall value proposition. (Click to enlarge)

Heimdal: the new word in security

Bloodthirsty or not, the Vikings gave their name to some very beneficial concepts. The word ‘law’ comes into English from their language, for example – and from where we’re sitting it looks like they’ve done it again with ‘Heimdal’!

(Loosely translated, we think the name means: “Stop the thing that’s trying to attack the longboat before it reaches the longboat.” Genius.)

Time some of your customers learnt some Danish, perhaps?

Read the latest helpful updates on ransomware and cloud security from our industry partners and contacts.

We like to put our partner and media contacts to good use in helping you and your customers to understand the security landscape.

This month, we bring you three helpful new updates – two guides to ransomware (and how to defeat it) and the other an interesting short article from Cloudworks on the benefits of cloud security for small and medium businesses.

Business guide to ransomware

New from AppRiver, this guide is subtitled ‘Understand, Analyze and Protect’, and is a very readable resource covering what ransomware is, how it works, how it spreads, and the best practices and employee training that can help defend against it.

Ransomware: Malwarebytes bytes back!

Another take on ransomware and how to combat it comes from security experts Malwarebytes, who major on the importance of endpoint security (keeping PCs and devices protected) in this informative and short PDF.

Five reasons why cloud security is important for SMEs

Big servers, large infrastructure, lots of IT staff – these are all security components that SMEs just can’t afford! This is why they must look cloudward – and this article from Cloudworks describes the benefits of cloud security neatly.

We’ll be back with more helpful advice soon!

AppRiver Nautical PlatformAppRiver’s Nautical platform makes all aspects of security service provision manageable from a “single pane of glass”. We look at the benefits.

For security service providers, or resellers wanting to break into the MSP space, there is a double challenge at hand: selecting solutions whose performance will delight their customers, yet that are easy enough to “drive” on a day-to-day basis to prevent margins being eaten away by costly management overheads.

This is why the appearance of AppRiver’s Nautical platform has set our antennae a-twitching. It promises a unified management console that enables service providers to deliver and manage a raft of cloud-based security solutions from one place, without the profit-sapping expense.

Here are just a few ways in which that could benefit service providers and their business.

The business benefits of Nautical, (1): Devolved management

Managing everything from under a “single pane of glass” is a seductive sell, but (I hear you say) doesn’t that just make for a crammed and complex window onto your world, which in turn drives management and admin costs up?

But Nautical turns this on its head, by enabling role-based interaction, so that different users each have different views of what is under the pane and can exercise different levels of control over it – and this includes the end-users themselves.

In this way, management workflows are made more targeted and efficient, but also flexibly devolved to customers where possible - taking even more of the admin burden off the service provider’s desk.

AppRiver Nautical Management
A single pane of glass, multiple kinds of access and interaction - cost reduction through targeted workflows and customer self-service (Click to enlarge)

The business benefits of Nautical, (2): Easy upscaling

Theoretically, cloud-delivered services can easily scale up to meet the needs of increasing numbers of end-users, thus supporting service providers’ revenue growth.

But critical to this process is the ease with which those new users can actually be brought on board. All the cloud service capacity in the world is no money-spinner if it is difficult, time-consuming and costly to connect users to it.

One of the killer new features in Nautical is a configurable user account management function that enables new users to be brought on board, and the overall user count to be increased, very easily.

Previously, this would have entailed multiple workflows in multiple environments; using Nautical, however, it is now a far simpler (and therefore cheaper) process.

AppRiver easy upscaling
More users, more usage, more revenue – and bringing them on board’s a cinch (Click to enlarge)

The business benefits of Nautical, (3): App-style agility and healthchecks

To go back to a previous point, bringing on additional users also inevitably drives demand for more products and services. Any service provider that delivers on the first point but not the second is painting themselves into a corner.

Nautical, however, makes it possible for both service providers and their customers to add and integrate new products and services with the kind of pick-and-mix agility you’d expect from something like an app store.

But (I again hear you ask) doesn’t that, in itself, create another management challenge – namely, monitoring all those disparate products and services without excessive (and expensive) manual intervention?

Here, too, Nautical comes up with the goods, thanks to its cross-product diagnostics that deliver a single, regular, unified application healthcheck to service providers’ customers and all the solutions they’re using.

Apps on demand
Apps on demand – and a unified monitoring and management system to keep them profitable (Click to enlarge)

What else should you know about Nautical?

Nautical has been described as “an entire channel programme in one portal”, but what’s really striking is that this deep integration across all aspects of security service provision comes at no charge.

Nautical simply becomes automatically available when a service provider chooses to deliver AppRiver’s security solutions – including anti-spam / anti-virus, web protection, email encryption, Exchange and mailbox protection – and this of course covers existing AppRiver service providers, too.

All in all, Nautical takes the hard work out of delivering MSP services that can really boost service providers’ bottom line, by making all business activities manageable from one place.

Now that really is something you should know.

Business Continuity2017 will see greater demand for security products than ever before. Backup and recovery are predicted to be big business for security channel partners!

Security predictions for 2017 are coming thick and fast – and there’s little for businesses to be cheery about.

“A major bank will fall as a result of cyber-attack,” the BBC relates in this article, whilst, at the other end of the scale, a solicitor has found itself embroiled in an email fraud scam that has, to date, left a homeowner £67,000 out of pocket.

But it’s perhaps ransomware, explored in a previous post, that will see the most noticeable growth in 2017, and it’s a major factor driving businesses’ and security partners’ interest in business continuity solutions like backup and recovery.

After all, if a business can reinstate critical backed-up data at will, ransomware loses much of its bite, and therefore its attractiveness to those who perpetrate it!

So what does an effective business continuity solution look like?

Business continuity solutions – what to look for

True business continuity is about more than just security applications – there’s a whole host of cultural and organisational requirements too, as this basic guide from CSO Online explains.

But from the solutions point of view, business continuity is basically about two things: reliable and bomb-proof (perhaps literally!) data backup, and rapid data recovery.

Two metrics are critical, here: Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

The former dictates how much data a business could afford to lose before it caused any real and lasting damage – and therefore reflects considerations like how often backups need to be performed, what volumes and formats of data need to be involved, and how robust the backup environment is.

The latter dictates how rapidly that backed-up data can not only be accessed (hint: off-site tapes just don’t cut it any more!) but actually redeployed in a form that the business’s hungry systems can once again get to work on – not just files and folders, but settings, too - to get the business back on its feet post-incident.

Between them, these two metrics hinge on a host of solution capabilities that can be problematic.

For example, one oft-cited issue is that when backup and recovery data is being streamed back into a stricken business, the data can’t be accessed or used until the recovery process is complete – and that can take many precious hours, days, or even longer. Unhelpful.

Reliance on recovery via hardware is also a sticking point, since it may be impaired by the very hack that caused the data incident in the first place (ransomware is a very good example of this!)

What’s the appetite for business continuity solutions in 2017?

Nonetheless, business continuity has been a problem crying out for a solution for a long time before 2017; ransomware has simply put an especially shrill edge on it!

Scary statistics abound; did you know, for example, that according to a study by Onyx Group, 71% of UK SMEs only ever manage to back up part of their data?

Or that 75% of SMBs have no disaster recovery plans in place at all?

But even more terrifying, when considered in the light of the ransomware issue, is that, according to one estimate, 58% of small businesses could not withstand any amount of data loss whatsoever!

Think about that for a moment. It means the hackers’ job is made much, much easier. Even holding the slightest amount of a business’s data to ransom could easily provoke a payout. Minimum effort, maximum return – which means more hackers getting involved in this kind of activity in the future, of course!

Not for nothing is the Business Continuity Institute’s agenda focused “overwhelmingly” on cyber-resilience in 2017.

(And in case you’re wondering, the disaster recovery-as-a-service market, in which backup will play a key role, is estimated to be worth $11.11 billion - £8.83 billion - by 2021. Ripe for the picking!)

Where can I check out the latest business continuity solutions?

Clearly, what we’ve said above also means that the competitive landscape for security partners in this space is going to become challenging.

But for an insight into how one backup and recovery solution is evolving to deliver both strengthened protection to end-users and a more compelling proposition to the security partners who sell to them, take a look at this data backup and recovery features update.

And keep watching this series of blogs – we’ll be looking at a whole range of security solutions for 2017, covering email, web, cloud, data centre, and Office 365.

General data protection regulationGDPR is coming! Here’s what the security channel needs to focus on to create opportunity out of regulatory upheaval.

On 25th May 2018, the EU General Data Protection Regulations (GDPR) become law.

But despite the burden of compliance that this places on the channel, isn’t it also a major opportunity for channel partners to sell more of the solutions that help end-users to address GDPR-related issues?

Here’s what we found when we dug into GDPR, and the opportunities it potentially presents, a little further…

GDPR opportunities – 1: Greater technology freedom?

A noteworthy feature of GDPR is that it does not prescribe specific data protection technologies – like a certain encryption algorithm, for example – and, therefore, does not automatically exclude others.

Instead, it prescribes processes, meaning that partners potentially have greater freedom than before to choose from a palette of vendor solutions that can satisfy those process requirements.

It’s a growth outlook reinforced by the IT industry’s most high-profile membership and training organisation, CompTIA. They have publicly stated to IT channel partners that GDPR means “Clients will be relying on their providers to help them meet regulations, which is a great opportunity to build on your relationships, all while creating new business with current and potential end users.”

So, given that GDPR is seemingly less proscriptive on the technology front than we might have previously assumed, what are the GDPR hot topics to which security partners’ offerings need to provide a compelling (and compliant) response, if they are to make the most of the opportunities at hand?

 GDPR opportunities – 2: Data protection controls

GDPR has serious teeth, but given our background in security software distribution, and from the point of view of security partners’ offerings, we believe it bites hardest around three key internal and three key external threat scenarios, which we’ve paraphrased from this recent research:

(including employee mistakes and malicious insiders)

  • Making lost data valueless if found – in other words, encryption methods that keep data safe if a device with personally or professionally identifiable information on it is lost or stolen.
  • Remote kill and wipe, to easily remove data from lost or stolen devices, or render them unusable, no matter where they are in relation to the user.
  • Data loss prevention (DLP), to control the types and sensitivities of data that users move around or out of the organisation.

(third-parties exploiting the organisation)

  • Locking-down, to control what kind of applications can and can’t run on an endpoint
  • Virtual patching, to stop remote exploitation of unpatched vulnerabilities
  • Breach detection, to flag where a network has been compromised, and thus enable users to block attempted data theft.

Should security partners be quaking at the sound of these snapping jaws? Not a bit of it.

Security solutions are already available that enable partners to deliver many of these GDPR-focused benefits to end-users, from vendors including Trend Micro (in both SMB and Enterprise formats) and others.

Plus, a recent survey of European businesses cited in this Information Age article found that 69% of those polled are not only likely to invest in security technology as a result of GDPR, but to do so in areas including file-sharing. (This hints at a growth in the cloud app-centric security requirement space, into which, as we discussed in an earlier post, at least one vendor already plays strongly.)

GDPR opportunities – 3: The size of the market

But it’s filthy lucre, predictably, that hints most effectively at the pot of GDPR gold at the end of the partner rainbow. And make no mistake, we are talking big money here.

, for example, has predicted that GDPR will create a $3.5 billion market opportunity for security and storage vendors – in which their partners, of course, will share – as the severity of fines drives enterprises to “radically shake up their data protection practices, seeking…new technologies to assist with compliance.”

An additional push factor in the groundswell of GDPR opportunities for security partners also came with the recent comment by the European Commission's Justice Directorate, according to the International Association of Privacy Professionals (IAPP), that companies judged to have invested responsibly in security can, under certain conditions, see any fines for non-compliance reduced.

Security partners, it seems, are likely to become many businesses’ new best friends!

GDPR: What next for security partners?

This piece in ChannelPro perhaps best expresses what partners need to do, as GDPR relentlessly approaches, to turn a disruptive regulation into a profitable business opportunity:

“1. Read up on the changes and ensure they become the trusted expert on the new regulations

  1. Educate their customers about the impact of the EU GDPR
  1. Ensure they’ve got the solutions available to help customers with compliance”

From where we’re standing, point 3 looks to be the least of partners’ worries…

Padlocks SecurityMultiple combined security solutions can be expensive for partners and customers alike, and can cause security gaps. So do integrated suites make more sense?

Calling all security partners - here's a scenario you might recognise: you sell the customer an individual “point” solution to address a specific security need, then you widen the customer’s understanding of their needs and gradually sell them a range of other point solutions to suit. Right?

But is this really the most profitable sell? And isn’t its viability called into question by the fact that the point solutions are only as robust as the glue that’s holding them together?

Here’s what some of the security partners who are our customers told us.

"Individual security solutions inflate costs."

As the quote above suggests, partners must balance the relative ease of progressively selling point solutions with the upward price spiral (and competitive impact) that this process tends to introduce.

Integrated suites of solutions, however, typically tend to be priced much more favourably; entire suites of security products can often be bought by the partner for a fraction of the price of combining point solutions!

But it’s not just about licensing costs. As you’ll read below, industry analysts support the idea that an ecosystem of integrated solutions will be more resource-efficient, enabling repositories to be shared effortlessly between the component solutions within it, and minimising operational costs too.

“Managing complexity is an expensive problem with point solutions.”

Essentially, this boils down to two issues.

Firstly, effective security has to work seamlessly across multiple layers (endpoint, application, network) but it has to do so in a user-centric way.

But if you stitch myriad point solutions together there is typically no centralised console for easily managing security across all these layers. Solutions for every layer then have to be managed in isolation, seamlessness evaporates, and admin and management overheads are multiplied, biting deeply into operating margins.

Secondly, point solutions, by their nature, are not greatly flexible, so they put partners into a complex and therefore potentially costly technical position when it comes to scaling to meet growing user demand, or deploying across mixed on-premise, cloud and hybrid environments.

In short, layered security suites are essential to enable partners to protect their customers comprehensively – but if those layers can’t be controlled from a “single pane of glass” then those partners are heading for a huge profitability drain.

“Combining point solutions doesn’t work 100% - it leaves security gaps.”

This is perhaps the most fundamental observation of all, explained best by industry analyst firm Forrester in this paper.

They say that in systems “protected by separate point products with isolated intelligence analysis/policy engines and management consoles, complexity increases and gaps in security coverage are more likely to present opportunities for exploit by malicious parties.”

They also confirm that integrated suites incorporating layered security offer partners (and customers) significant reductions in “operational friction” and cost, as we have already mentioned above.

“Point solutions have limited threat coverage.”

Related to what we’ve said above, if point solutions struggle inherently to work together, it’s logical to assume that, as attack surfaces and threat vectors proliferate, this shortcoming degrades even further - and there comes a juncture when point solutions effectively become functionally unable to cover off the full spectrum of threat sources.

A cursory glance at the kind of threats that integrated security solutions must now protect against reinforces this view.

Endpoints, smartphones and tablets no longer cut the mustard. Instead, protection must extend to USB, removable drives, mail and file servers, messaging and web gateways, collaboration portals, instant messaging (IM) servers – and, as we noted in a previous post, cloud applications (like Office 365) whose use within businesses is skyrocketing.

Clearly, however, not all point solutions are created equal. A carefully assembled, multi-vendor solution, using only established best-of-breed components, might arguably be up to the tasks demanded of it -  but at what cost?

Disparate licensing agreements. Disparate billing arrangements. The need for a separately purchased and configured remote monitoring and management (RMM) console...

These obstacles are a world away, in cost and complexity terms, from a one-vendor solution with specialist components that target specific security layers, and with its own in-built "single pane of glass", delivering unified management, from very first use, across the customer's entire security estate.

Buyer beware!

Conclusion: integrated suites make security (and business) sense

According to experts quoted in security publication CSO Online, 2016 is the year of advanced cyber attacks, insider threats, ransomware, “cloud wars” - and a huge shortage of in-house cyber talent that security partners will have to help their customers to fill!

Against the backdrop of this surging demand, the notion that partners can profitably supply and effectively manage individual point solutions to simultaneously address such a vast (and growing!) expanse of ever more sophisticated threat sources doesn’t stand up to reasoned analysis.

There seems to be only one sensible way forward for partners in the security channel, and Forrester once again nails it when it writes: “Integrating the security management and analysis within each layer is crucial when protecting against advanced or targeted attacks.”

The day is surely coming when there simply won’t be much point in point solutions.

Over the last week we have seen an increase in the amount of companies receiving emails containing Zepto Ransomware, a file encrypting virus based on the infamous Locky cryptoware.
Most of the emails have been carefully crafted to ensnare the victims using social engineering techniques, typically greeting the recipient by first name and asking them to open an attachment which they had requested.
zepto image
The attachment will typically be either a .zip extension or .docm extension and once opened will run a malicious JavaScript which then encrypts all files on the users machine with the .zepto extension

To try and combat the infection, we offer the following advice
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
2. To protect against VBA malware, tell Office not to allow macros in documents from the internet.
3. Ensure your AntiMalware program is upto date
4. Ensure your users are careful with email attachments and only open the ones they are sure they have requested
5. If possible set email filtering to quarantine all .zip and .docm files

cloud-application-controlWhat customers' employees do within web, cloud and social apps can be a significant threat to their business. We look at how they can limit the risks.

We recently took a look at vendors’ web security offerings, and came to the conclusion, in this post, that much of this risk landscape is being driven by employees and their ceaseless interactions with the raft of web, cloud and social media applications on which so many agile business processes now depend.

As this excellent piece in ITPro explains, it is now imperative for businesses to “understand exactly how data is moving in, around and out of your organisation”, and to provide the “visibility and the ability to discover, analyse and control the information staff are accessing or sharing.”

Whether businesses are updating marketing posts on Facebook, drilling down into Salesforce, uploading price lists to Dropbox, liking comments on Twitter, or using cloud data storage applications (as some 52% of small and medium-sized businesses in the US alone seem now to be doing, according to this Cloudwards article), the potential for both intentional and unintentional data compromise or reputational damage is high.

So how do security vendors tackle this end-user challenge, and create cloud application control solutions that MSPs and other partners can sell and provision to customers profitably?

 Cloud application control: the all-seeing-eye?

The first thing to say here is that cloud application security is not simply about automatically blocking malware, or filtering out clicks on risky URLs, or scanning for abusive language.

Rather, it is about being able to visualise and analyse all users’ application activity simultaneously and in one place, make informed human business risk decisions on it, and, where necessary, change parameters and automated settings to suit.

So, for example, why is a user uploading or deleting a profile image? Are they trying to hide their identity?

Why is someone removing a public link – was something there that should not have been exposed to public view in the first place? If so, how do you address the process failure that allowed such a link to then be posted?

Why is someone permanently deleting files from a recycle bin – are they trying to cover their tracks? For what reason?

With or without malicious intent, these are potentially damaging behaviours – but it takes a human eye to assess them, and that can only happen if all relevant information and alerts are assembled in one dashboard, where they are easy to interpret, at minimum management overhead.

Cloud application control consoles are therefore critical, enabling end-user and MSP alike to monitor and manage both users’ behaviours and the service that is being delivered.

Cloud app control – it’s not everywhere

Yet take a look at the “Treacherous 12” top cloud computing threats recently listed by the Cloud Security Alliance at the recent RSA Cybersecurity Conference, as reported in this Infoworld article, and it hardly paints a picture of a cloud application risk landscape that has been comprehensively tamed.

On the one hand, this presents a healthy sales opportunity for MSPs, who can deliver cloud application control solutions as an inroad into new clients.

But it also provides MSPs with a means of protecting themselves against the ever more litigious risks associated with other cloud applications that they already deliver to their customers.

To give just one rather urgent example, according to this TechTarget article some 75% of all cloud apps used in European enterprises are out of compliance with the new EU data protection regulations that are set to take effect in less than two years – and any MSP providing or provisioning them will be liable, as the incumbent “data processor”, for any security breaches sustained.

Overlaying cloud application control on these existing apps could help to significantly reduce many MSPs’ exposure to this kind of risk, or at least expel any ambiguity as to what is a breach occasioned by vulnerabilities in the application itself, and what is a breach caused by risky operator interaction with the cloud application environment.

Who sells cloud application control solutions?

Unsurprisingly, these factors (and others) have encouraged industry analysts to comment enthusiastically on the projected rise of cloud application-specific security solutions. Channel Pro, for example, has cited Gartner’s statement that, in 2016, 25% of enterprises will use a cloud access security broker.

But this presents something of a difficulty, given that there are actually so few vendors producing solutions in this space.

One player that has broken the mould, however, is CensorNet, and for good reason. It has developed a cloud app control solution that hits on all the critical MSP hot buttons at once – it is white-labelled to boost the MSP’s brand profile, can be up and running without infrastructure costs, is deployable in minutes, and offers stellar system performance and scalability thanks to its proxy-less architecture.

Yet one swallow does not a summer make. Can MSPs take cloud application control mainstream with so few vendors in the frame?

Put it this way, they’re going to let down a lot of customers if they don’t. Consider this: the average employee already accesses seven different web applications at work, but according to one recent article, 58% of respondents had no training in how to use those apps safely, 39% were unaware of the risks associated with them, and 44% hadn’t been trained in how to transfer and store corporate data securely.

Add to that the revelation, in the same article, that 23% of respondents have already experienced cloud data losses or breaches, and 20% have reported unauthorised access to their data or services, and the need for organisations to understand who is doing what in the cloud, to what, and why, is no longer a nice-to-have – it’s a critical imperative.

Over to you, MSPs...

Cloud App SecurityOffice 365, Google Drive, Sharepoint: businesses love them, but we ask if security vendors do enough to help partners address their known vulnerabilities – profitably!

In a recent post, we looked at the known security limitations of cloud-delivered applications like Office 365, Google Drive, Sharepoint, and others.

As we pointed out, identifying security weaknesses in these platforms and providing cloud app customers with solutions to them can prove profitable, according to industry commentators – but are security vendors even addressing this space in the first place, let alone in a way that enables vendors to make viable margins out of it?

Cloud application security: how big is the pie?

The first point we need to make here is that the potential market for these kind of security solutions is big and growing. Since 2011, as this Worldwide Cloud Applications Market Forecast 2015 – 2019 shows, the Cloud applications market has more than doubled, and now accounts for 20% of the overall enterprise applications space.

By 2019, Cloud applications subscription revenues could make up 35% of the total addressable market opportunity.

Captured amongst all that, of course, are the very applications businesses most want MSPs and other partners to provide – hosted email, file sharing, collaboration, and so on.

And these are the very applications that, whilst delivered in a secure manner, are not fully able to secure the content that passes through them, making them vulnerable to risks like advanced and hidden malware, ransomware, phishing attacks, leaking of sensitive data, file sharing on unauthorised devices, and remote user network breaches.

In short, there’s plenty of pie available – and cloud application security is potentially the utensil that enables MSPs and other partners to carve themselves a sizeable slice of it!

Delivering security for cloud apps: how hard can it be?

But the second point we have to consider is that cloud applications need security that is built expressly for cloud computing conditions – and existing security techniques fall down badly in this respect, resulting in few solutions that are fit for purpose.

Just take a look at traditional web monitoring, for example – it funnels traffic out of the cloud and into a separate service, adding significant latency that negatively impacts both performance and capacity.

Only if pre-cloud approaches are consigned to the dustbin, and direct cloud-to-cloud API integration is offered in its stead, can vendors play strongly in this space, and partners reap the benefits.

In this scenario, a literally instant cloud app security deployment is possible, requiring nothing more than the submission of administrator credentials for the apps in question.

Bundling, licensing, pricing – can partners make money out of cloud app security?

Quite apart from the fact that very few vendors are actually active in the cloud app security space in any serious way, my third point is as much to do with the partner model as it is with the scarcity of those offerings.

Even if solutions were plentiful, reselling them in a subscription or perpetual licensing model produces the same challenges that any other reseller in any other IT market encounters – high upfront subscription costs, unpredictable income, lack of flexibility to scale services up and down (and missing out on the additional revenue that such upscaling generates).

The risks of this approach are well documented - but then if so few vendors are in this space in the first place, how many of them do we think are in a position to offer the potentially more profitable MSP alternative?

Then there’s the question of how vendors actually incorporate cloud app security offerings into their overall security portfolio – or don’t! Currently, the view from the bridge here is that one prominent vendor is now bundling cloud app security within its existing security services, in a cloud-based MSP model, at no extra licensing charge – but other vendors haven’t even started to play catch-up on this.

In conclusion: cloud app security vendors could do better

There it is, then: cloud app security solutions are rarer than hen’s teeth!

They demand an instantly deployable, cloud-centric architecture that most security vendors simply haven’t applied to this space, a margin-rich partner model that the vast majority of vendors seem unready to offer, and a “business as usual” attitude to bundling that, for many vendors, seems too radical a string to add to their bow.

That massive cloud app pie is there for the securing – but, as it stands, most vendors aren’t even making a dent in the crust, still less serving up anything that profit-hungry partners would find a tasty proposition.